CVE-2016-0791Sensitive Information Exposure in Jenkins

CWE-200Sensitive Information Exposure8 documents7 sources
Severity
9.8CRITICALNVD
EPSS
0.5%
top 35.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
JenkinsRedhat Openshift
Timeline
PublishedApr 7
Latest updateMay 14

Description

Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDjenkins/jenkins1.649+1

Patches

Patch: wiki.jenkins-ci.orgPatch: wiki.jenkins-ci.org

🔴Vulnerability Details

3
GHSA
Exposure of Sensitive Information in Jenkins Core2022-05-14
OSV
Exposure of Sensitive Information in Jenkins Core2022-05-14
CVEList
CVE-2016-0791: Jenkins before 12016-04-07

📋Vendor Advisories

2
Red Hat
jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)2016-02-24
Jenkins
Jenkins Security Advisory 2016-02-242016-02-24

💬Community

2
Bugzilla
CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all]2016-02-25
Bugzilla
CVE-2016-0791 jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)2016-02-25
CVE-2016-0791 — Sensitive Information Exposure | cvebase